A perhaps disturbing summation of the state of federal cyber security: An internal audit found nearly 60 percent of Energy Department desktop computers were missing critical software patches -- and those findings don’t surprise security experts.
Officials risk disrupting agency business by applying patches because fixes likely would require pausing widely used programs, said Patrick Miller, chief executive officer of EnergySec, a federally funded public-private partnership.
The inspector general audit, which was released this week, covered unclassified systems at administrative offices departmentwide.
“It would actually be more damaging to the organization to patch it than to not patch it,” Miller said. “The reality is most organizations, the larger they get, the harder it is for them to manage their patching.” It is unclear whether the department compensated for holes by using other safeguards, such as firewalls.
The assessment revealed that many desktops and servers were running without security patches. Department-level systems handle budgeting and human resources data, as well as information on public-private investments, such as the controversial economic stimulus loan to solar power firm Solyndra. The now-bankrupt recipient of a more than $500 million Recovery Act award obtained court approval Thursday to sell its headquarters for $90 million.
About 58 percent of the Energy desktops tested used operating systems or software without fixes for weaknesses that had been discovered, in some cases, up to six months earlier. Also, 41 network servers were running operating systems no longer supported by their developers.
But, Miller said, defects are typical at fiscally strained federal agencies that are overseeing massive networks. “Those numbers are quite low for an agency of its size,” he said.
Some of the flawed systems operate critical department operations, though the report did not identify specific activities.
“These vulnerabilities could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations,” Energy Inspector General Gregory H. Friedman wrote.
Systems that run federal utilities and handle nuclear testing were not part of the evaluation.
The probe was conducted between February and November and examined facilities overseen by the undersecretary for nuclear security, undersecretary of energy and undersecretary for science.
A separate agency, the Health, Safety and Security Office of Enforcement and Oversight, studies cyber controls for Energy national security systems.
The study did not try to spot actual breaches.
In a Nov. 5 response to a draft report, Energy Chief Information Officer Robert Breese agreed to follow up on the uncovered problems. “The weaknesses noted in this report have been reviewed and corrective actions, to include the implementation of appropriate controls, have been identified,” he wrote. Energy offices will be expected to report quarterly to the CIO on their progress bolstering systems.
Systems powering federal utilities have come under the IG’s microscope several times during the past year.
In late October, the inspector general reported that the government's largest renewable power delivery agency was using a default password to protect a scheduling database, and regularly failed to update security software. The Western Area Power Administration distributes hydroelectric energy to utilities serving millions of homes and businesses in the Rocky Mountain, Sierra Nevada, Great Plains and Southwest regions.
Cyber experts said weaknesses flagged in a March audit of a Northwestern utility that powers 30 percent of the region, including key military installations, are typical of many government and industry energy systems. Eleven servers at the federal Bonneville Power Administration in Portland, Ore., used weak passwords, "an issue that could have allowed a knowledgeable attacker to obtain complete access to the system," the IG report stated.
Officials from Energy, the Homeland Security Department and the White House will highlight actions undertaken to help public and private sector utilities prioritize defenses at a Washington event on Nov. 27 hosted by Government Executive Media Group.